# -*- coding: utf-8 -*-
"""Location: ./tests/unit/mcpgateway/middleware/test_http_auth_integration.py
Copyright 2025
SPDX-License-Identifier: Apache-2.0
Authors: ContextForge

Integration tests for HTTP authentication middleware using the real main.py app.

Tests the complete flow:
- HTTP_PRE_REQUEST: Header transformation
- HTTP_AUTH_RESOLVE_USER: Custom authentication
- HTTP_POST_REQUEST: Response header modification
"""

# Standard
from datetime import datetime, timezone
from unittest.mock import patch, MagicMock

# Third-Party
from fastapi.testclient import TestClient
import pytest

# First-Party
from mcpgateway.config import settings
from mcpgateway.plugins.framework import (
    HttpHeaderPayload,
    HttpHookType,
    PluginResult,
    PluginViolation,
    PluginViolationError,
)


@pytest.mark.skipif(not settings.plugins_enabled, reason="Plugins must be enabled for HTTP auth integration tests")
class TestHttpAuthMiddlewareIntegration:
    """Integration tests using the real FastAPI app from main.py."""

    @pytest.fixture
    def test_client_with_http_auth(self, app):
        """Create test client with HTTP auth middleware enabled."""
        # The app fixture from conftest.py already loads the real app
        # We'll patch the plugin manager to add our test plugins

        # Create mock plugin manager with test hooks
        async def mock_invoke_hook(hook_type, payload, global_context, local_contexts=None, violations_as_exceptions=False):  # noqa: ARG001
            if hook_type == HttpHookType.HTTP_PRE_REQUEST:
                # Transform X-API-Key → Authorization
                headers = dict(payload.headers.root)
                if "x-api-key" in headers and "authorization" not in headers:
                    headers["authorization"] = f"Bearer {headers['x-api-key']}"
                    return PluginResult(modified_payload=HttpHeaderPayload(headers), continue_processing=True), {}
                return PluginResult(continue_processing=True), {}

            if hook_type == HttpHookType.HTTP_AUTH_RESOLVE_USER:
                # Custom API key authentication
                if payload.credentials and payload.credentials.get("scheme") == "Bearer":
                    token = payload.credentials.get("credentials")

                    # Simulate API key authentication
                    if token == "test-api-key-123":
                        return (
                            PluginResult(
                                modified_payload={
                                    "email": "apiuser@example.com",
                                    "full_name": "API User",
                                    "is_admin": False,
                                    "is_active": True,
                                    "password_hash": "",
                                    "email_verified_at": datetime.now(timezone.utc),
                                    "created_at": datetime.now(timezone.utc),
                                    "updated_at": datetime.now(timezone.utc),
                                },
                                continue_processing=False,
                            ),
                            {},
                        )
                    if token == "blocked-key-456":
                        # Simulate blocked key
                        raise PluginViolationError(
                            message="API key has been revoked",
                            violation=PluginViolation(
                                reason="API key revoked",
                                description="This API key has been revoked",
                                code="API_KEY_REVOKED",
                            ),
                        )

                return PluginResult(continue_processing=True), {}

            if hook_type == HttpHookType.HTTP_POST_REQUEST:
                # Add correlation ID and auth status to response
                response_headers = dict(payload.response_headers.root) if payload.response_headers else {}

                if "x-correlation-id" in payload.headers.root:
                    response_headers["x-correlation-id"] = payload.headers.root["x-correlation-id"]

                if payload.status_code and payload.status_code < 400:
                    response_headers["x-auth-status"] = "authenticated"
                else:
                    response_headers["x-auth-status"] = "failed"

                return PluginResult(modified_payload=HttpHeaderPayload(response_headers), continue_processing=True), {}

            return PluginResult(continue_processing=True), {}

        # Patch the get_plugin_manager in auth.py to return our mock
        mock_plugin_manager = MagicMock()
        mock_plugin_manager.invoke_hook = mock_invoke_hook

        # Patch where get_plugin_manager is USED (in auth.py)
        with patch("mcpgateway.auth.get_plugin_manager", return_value=mock_plugin_manager):
            # Also need to patch the middleware's plugin_manager attribute
            # Find the middleware instance and set its plugin_manager
            for middleware in app.user_middleware:
                if hasattr(middleware, "cls") and middleware.cls.__name__ == "HttpAuthMiddleware":
                    middleware.kwargs["plugin_manager"] = mock_plugin_manager

            client = TestClient(app)
            yield client

    def test_x_api_key_transformation_and_authentication(self, test_client_with_http_auth):
        """Test that X-API-Key is transformed to Authorization and user is authenticated."""
        client = test_client_with_http_auth

        # Send POST request with X-API-Key header (initialize requires POST)
        response = client.post(
            "/protocol/initialize",
            json={},
            headers={
                "X-API-Key": "test-api-key-123",
                "Content-Type": "application/json",
            },
        )

        # The X-API-Key should be transformed to Authorization: Bearer
        # Then the custom auth plugin should authenticate the user
        # Note: The actual response depends on the endpoint implementation
        # We're mainly testing that the headers flow through correctly
        assert response.status_code in [200, 400, 401, 422]  # May be 4xx if body validation fails

    def test_correlation_id_propagation(self, test_client_with_http_auth):
        """Test that correlation ID is propagated from request to response."""
        client = test_client_with_http_auth

        response = client.get(
            "/health",  # Use a simple endpoint
            headers={
                "X-Correlation-ID": "test-correlation-123",
            },
        )

        # Check that correlation ID appears in response headers
        assert response.headers.get("x-correlation-id") == "test-correlation-123"

    def test_blocked_api_key_returns_401(self, test_client_with_http_auth):
        """Test that blocked API key returns 401 with custom error message."""
        client = test_client_with_http_auth

        response = client.post(
            "/protocol/initialize",
            json={},
            headers={
                "X-API-Key": "blocked-key-456",
                "Content-Type": "application/json",
            },
        )

        # Should return 401 because the API key is blocked
        assert response.status_code == 401
        # The error message should mention revocation
        response_text = response.text.lower()
        try:
            response_json = str(response.json()).lower()
        except Exception:
            response_json = ""
        assert "revoked" in response_text or "revoked" in response_json

    def test_auth_status_header_on_success(self, test_client_with_http_auth):
        """Test that x-auth-status header is set to 'authenticated' on success."""
        client = test_client_with_http_auth

        response = client.get(
            "/health",
            headers={"X-API-Key": "test-api-key-123"},
        )

        # Check auth status header
        if response.status_code == 200:
            assert response.headers.get("x-auth-status") == "authenticated"

    def test_auth_status_header_on_failure(self, test_client_with_http_auth):
        """Test that x-auth-status header is set to 'failed' on auth failure."""
        client = test_client_with_http_auth

        # Send request without any authentication
        response = client.post(
            "/protocol/initialize",
            json={},
            headers={"Content-Type": "application/json"},
        )

        # Should fail authentication
        if response.status_code >= 400:
            assert response.headers.get("x-auth-status") == "failed"

    def test_request_id_in_response(self, test_client_with_http_auth):
        """Test that request_id is generated and can be used for tracing."""
        client = test_client_with_http_auth

        # Make request
        response = client.get("/health")

        # Request should complete (request_id is internal, not in response by default)
        # But we can verify the middleware ran by checking for other headers we add
        assert response.status_code == 200


class TestHttpAuthMiddlewareWithoutPlugins:
    """Test that the app works normally without plugin manager."""

    def test_normal_auth_without_plugins(self, app):
        """Test that normal authentication works when plugin manager is not available."""
        # Use the app without patching plugin manager
        # This should fall back to standard JWT/API token validation

        # Patch _get_plugin_manager to return None (no plugins)
        with patch("mcpgateway.plugins.framework.get_plugin_manager", return_value=None):
            client = TestClient(app)

            # Request without authentication should fail (use POST for initialize)
            response = client.post("/protocol/initialize", json={})

            # Should get 401 because no credentials provided
            assert response.status_code == 401

    def test_health_endpoint_accessible_without_auth(self, app):
        """Test that health endpoint is accessible without authentication."""
        with patch("mcpgateway.plugins.framework.get_plugin_manager", return_value=None):
            client = TestClient(app)

            response = client.get("/health")

            # Health endpoint should be accessible
            assert response.status_code == 200


@pytest.mark.asyncio
class TestPluginHookBehavior:
    """Test individual plugin hook behaviors in isolation."""

    async def test_header_transformation_preserves_original(self):
        """Test that header transformation preserves the original header."""
        # This would test the plugin logic directly without the full app
        headers = {"x-api-key": "test-key"}

        # After transformation
        headers["authorization"] = f"Bearer {headers['x-api-key']}"

        # Both headers should exist
        assert "x-api-key" in headers
        assert headers["authorization"] == "Bearer test-key"

    async def test_multiple_header_modifications_merge(self):
        """Test that multiple plugins can modify headers and they merge correctly."""
        # Original headers
        original = {"x-api-key": "key123", "user-agent": "test-client"}

        # Plugin 1 adds authorization
        modified1 = {**original, "authorization": "Bearer key123"}

        # Plugin 2 adds correlation ID
        modified2 = {**modified1, "x-correlation-id": "corr-456"}

        # All headers should be present
        assert len(modified2) == 4
        assert "x-api-key" in modified2
        assert "authorization" in modified2
        assert "x-correlation-id" in modified2
        assert "user-agent" in modified2


@pytest.mark.asyncio
class TestCustomAuthExamplePlugin:
    """Integration tests for the custom_auth_example plugin with full MCP Gateway.

    These tests verify the complete authentication flow including:
    - Successful API key authentication
    - Failed authentication (invalid keys, blocked keys)
    - Header transformation (X-API-Key → Authorization)
    - Response header modification
    - Fallback to standard JWT authentication
    - Strict mode enforcement
    """

    @pytest.fixture
    def plugin_config(self):
        """Plugin configuration for testing."""
        from mcpgateway.plugins.framework import PluginConfig

        return PluginConfig(
            name="custom_auth_example",
            kind="plugins.examples.custom_auth_example.custom_auth.CustomAuthPlugin",
            priority=10,
            config={
                "api_key_header": "x-api-key",
                "api_key_mapping": {
                    "valid-key-12345": {
                        "email": "validuser@example.com",
                        "full_name": "Valid User",
                        "is_admin": "false",
                    },
                    "admin-key-67890": {
                        "email": "admin@example.com",
                        "full_name": "Admin User",
                        "is_admin": "true",
                    },
                },
                "blocked_api_keys": ["blocked-key-99999"],
                "transform_headers": True,
                "strict_mode": False,
            },
        )

    @pytest.fixture
    def plugin(self, plugin_config):
        """Create plugin instance."""
        from plugins.examples.custom_auth_example.custom_auth import CustomAuthPlugin

        return CustomAuthPlugin(plugin_config)

    @pytest.fixture
    def strict_mode_plugin(self):
        """Create plugin instance with strict_mode enabled."""
        from mcpgateway.plugins.framework import PluginConfig
        from plugins.examples.custom_auth_example.custom_auth import CustomAuthPlugin

        config = PluginConfig(
            name="custom_auth_example",
            kind="plugins.examples.custom_auth_example.custom_auth.CustomAuthPlugin",
            priority=10,
            config={
                "api_key_header": "x-api-key",
                "api_key_mapping": {
                    "valid-key-12345": {
                        "email": "validuser@example.com",
                        "full_name": "Valid User",
                        "is_admin": "false",
                    },
                },
                "blocked_api_keys": [],
                "transform_headers": True,
                "strict_mode": True,  # Strict mode enabled
            },
        )
        return CustomAuthPlugin(config)

    async def test_http_pre_request_transforms_x_api_key(self, plugin):
        """Test that X-API-Key header is transformed to Authorization: Bearer."""
        from mcpgateway.plugins.framework import GlobalContext, HttpHeaderPayload, HttpPreRequestPayload, PluginContext

        payload = HttpPreRequestPayload(
            path="/protocol/initialize",
            method="POST",
            headers=HttpHeaderPayload({"x-api-key": "valid-key-12345", "content-type": "application/json"}),
            client_host="192.168.1.100",
            client_port=54321,
        )
        global_context = GlobalContext(request_id="test-req-001", server_id=None, tenant_id=None)
        context = PluginContext(global_context=global_context)

        result = await plugin.http_pre_request(payload, context)

        assert result.modified_payload is not None, "Should return modified headers"
        assert result.modified_payload.root["authorization"] == "Bearer valid-key-12345"
        assert result.modified_payload.root["x-api-key"] == "valid-key-12345", "Original header should be preserved"
        assert result.metadata["transformed"] is True
        assert result.metadata["original_header"] == "x-api-key"

    async def test_http_pre_request_does_not_override_existing_authorization(self, plugin):
        """Test that existing Authorization header is not overridden by X-API-Key."""
        from mcpgateway.plugins.framework import GlobalContext, HttpHeaderPayload, HttpPreRequestPayload, PluginContext

        payload = HttpPreRequestPayload(
            path="/protocol/initialize",
            method="POST",
            headers=HttpHeaderPayload(
                {"x-api-key": "valid-key-12345", "authorization": "Bearer existing-token", "content-type": "application/json"}
            ),
            client_host="192.168.1.100",
            client_port=54321,
        )
        global_context = GlobalContext(request_id="test-req-002", server_id=None, tenant_id=None)
        context = PluginContext(global_context=global_context)

        result = await plugin.http_pre_request(payload, context)

        # Should not modify headers when Authorization already exists
        assert result.modified_payload is None or result.modified_payload.root.get("authorization") == "Bearer existing-token"

    async def test_http_pre_request_no_transformation_without_x_api_key(self, plugin):
        """Test that no transformation occurs without X-API-Key header."""
        from mcpgateway.plugins.framework import GlobalContext, HttpHeaderPayload, HttpPreRequestPayload, PluginContext

        payload = HttpPreRequestPayload(
            path="/protocol/initialize",
            method="POST",
            headers=HttpHeaderPayload({"content-type": "application/json"}),
            client_host="192.168.1.100",
            client_port=54321,
        )
        global_context = GlobalContext(request_id="test-req-003", server_id=None, tenant_id=None)
        context = PluginContext(global_context=global_context)

        result = await plugin.http_pre_request(payload, context)

        assert result.continue_processing is True
        # Should not return modified payload if no transformation occurred
        assert result.modified_payload is None or "authorization" not in result.modified_payload.root

    async def test_http_auth_resolve_user_valid_api_key(self, plugin):
        """Test successful user authentication with valid API key."""
        from mcpgateway.plugins.framework import GlobalContext, HttpAuthResolveUserPayload, HttpHeaderPayload, PluginContext

        payload = HttpAuthResolveUserPayload(
            credentials={"scheme": "Bearer", "credentials": "valid-key-12345"},
            headers=HttpHeaderPayload({}),
            client_host="192.168.1.100",
            client_port=54321,
        )
        global_context = GlobalContext(request_id="test-req-004", server_id=None, tenant_id=None)
        context = PluginContext(global_context=global_context)

        result = await plugin.http_auth_resolve_user(payload, context)

        assert result.modified_payload is not None, "Should return authenticated user"
        assert result.modified_payload["email"] == "validuser@example.com"
        assert result.modified_payload["full_name"] == "Valid User"
        assert result.modified_payload["is_admin"] is False
        assert result.modified_payload["is_active"] is True
        assert result.continue_processing is False, "Should not continue to standard JWT validation"
        assert result.metadata["auth_method"] == "api_key"

    async def test_http_auth_resolve_user_admin_api_key(self, plugin):
        """Test admin user authentication with admin API key."""
        from mcpgateway.plugins.framework import GlobalContext, HttpAuthResolveUserPayload, HttpHeaderPayload, PluginContext

        payload = HttpAuthResolveUserPayload(
            credentials={"scheme": "Bearer", "credentials": "admin-key-67890"},
            headers=HttpHeaderPayload({}),
            client_host="192.168.1.100",
            client_port=54321,
        )
        global_context = GlobalContext(request_id="test-req-005", server_id=None, tenant_id=None)
        context = PluginContext(global_context=global_context)

        result = await plugin.http_auth_resolve_user(payload, context)

        assert result.modified_payload is not None
        assert result.modified_payload["email"] == "admin@example.com"
        assert result.modified_payload["full_name"] == "Admin User"
        assert result.modified_payload["is_admin"] is True
        assert result.continue_processing is False

    async def test_http_auth_resolve_user_blocked_api_key(self, plugin):
        """Test that blocked API key raises PluginViolationError."""
        from mcpgateway.plugins.framework import GlobalContext, HttpAuthResolveUserPayload, HttpHeaderPayload, PluginContext, PluginViolationError

        payload = HttpAuthResolveUserPayload(
            credentials={"scheme": "Bearer", "credentials": "blocked-key-99999"},
            headers=HttpHeaderPayload({}),
            client_host="192.168.1.100",
            client_port=54321,
        )
        global_context = GlobalContext(request_id="test-req-006", server_id=None, tenant_id=None)
        context = PluginContext(global_context=global_context)

        with pytest.raises(PluginViolationError) as exc_info:
            await plugin.http_auth_resolve_user(payload, context)

        assert "revoked" in exc_info.value.message.lower()
        assert exc_info.value.violation.code == "API_KEY_REVOKED"

    async def test_http_auth_resolve_user_invalid_api_key_fallback(self, plugin):
        """Test that invalid API key falls back to standard authentication (non-strict mode)."""
        from mcpgateway.plugins.framework import GlobalContext, HttpAuthResolveUserPayload, HttpHeaderPayload, PluginContext

        payload = HttpAuthResolveUserPayload(
            credentials={"scheme": "Bearer", "credentials": "invalid-key-unknown"},
            headers=HttpHeaderPayload({}),
            client_host="192.168.1.100",
            client_port=54321,
        )
        global_context = GlobalContext(request_id="test-req-007", server_id=None, tenant_id=None)
        context = PluginContext(global_context=global_context)

        result = await plugin.http_auth_resolve_user(payload, context)

        # In non-strict mode, should fall back to standard JWT validation
        assert result.continue_processing is True, "Should continue to standard JWT validation"
        assert result.modified_payload is None or isinstance(result.modified_payload, dict) and not result.modified_payload

    async def test_http_auth_resolve_user_invalid_api_key_strict_mode(self, strict_mode_plugin):
        """Test that invalid API key raises error in strict mode."""
        from mcpgateway.plugins.framework import GlobalContext, HttpAuthResolveUserPayload, HttpHeaderPayload, PluginContext, PluginViolationError

        payload = HttpAuthResolveUserPayload(
            credentials={"scheme": "Bearer", "credentials": "invalid-key-unknown"},
            headers=HttpHeaderPayload({}),
            client_host="192.168.1.100",
            client_port=54321,
        )
        global_context = GlobalContext(request_id="test-req-008", server_id=None, tenant_id=None)
        context = PluginContext(global_context=global_context)

        with pytest.raises(PluginViolationError) as exc_info:
            await strict_mode_plugin.http_auth_resolve_user(payload, context)

        assert "invalid" in exc_info.value.message.lower()
        assert exc_info.value.violation.code == "INVALID_API_KEY"
        assert exc_info.value.violation.details["strict_mode"] is True

    async def test_http_auth_resolve_user_no_credentials_fallback(self, plugin):
        """Test that missing credentials falls back to standard authentication."""
        from mcpgateway.plugins.framework import GlobalContext, HttpAuthResolveUserPayload, HttpHeaderPayload, PluginContext

        payload = HttpAuthResolveUserPayload(
            credentials=None,
            headers=HttpHeaderPayload({}),
            client_host="192.168.1.100",
            client_port=54321,
        )
        global_context = GlobalContext(request_id="test-req-009", server_id=None, tenant_id=None)
        context = PluginContext(global_context=global_context)

        result = await plugin.http_auth_resolve_user(payload, context)

        assert result.continue_processing is True
        assert result.metadata["custom_auth"] == "not_applicable"

    async def test_http_post_request_adds_correlation_id(self, plugin):
        """Test that correlation ID is propagated from request to response."""
        from mcpgateway.plugins.framework import GlobalContext, HttpHeaderPayload, HttpPostRequestPayload, PluginContext

        payload = HttpPostRequestPayload(
            path="/protocol/initialize",
            method="POST",
            headers=HttpHeaderPayload({"x-correlation-id": "test-corr-123"}),
            client_host="192.168.1.100",
            client_port=54321,
            response_headers=HttpHeaderPayload({}),
            status_code=200,
        )
        global_context = GlobalContext(request_id="test-req-010", server_id=None, tenant_id=None)
        context = PluginContext(global_context=global_context)

        result = await plugin.http_post_request(payload, context)

        assert result.modified_payload is not None
        assert result.modified_payload.root["x-correlation-id"] == "test-corr-123"

    async def test_http_post_request_adds_auth_status_success(self, plugin):
        """Test that x-auth-status header is set to 'authenticated' on successful requests."""
        from mcpgateway.plugins.framework import GlobalContext, HttpHeaderPayload, HttpPostRequestPayload, PluginContext

        payload = HttpPostRequestPayload(
            path="/protocol/initialize",
            method="POST",
            headers=HttpHeaderPayload({}),
            client_host="192.168.1.100",
            client_port=54321,
            response_headers=HttpHeaderPayload({}),
            status_code=200,
        )
        global_context = GlobalContext(request_id="test-req-011", server_id=None, tenant_id=None)
        context = PluginContext(global_context=global_context)

        result = await plugin.http_post_request(payload, context)

        assert result.modified_payload is not None
        assert result.modified_payload.root["x-auth-status"] == "authenticated"

    async def test_http_post_request_adds_auth_status_failure(self, plugin):
        """Test that x-auth-status header is set to 'failed' on failed requests."""
        from mcpgateway.plugins.framework import GlobalContext, HttpHeaderPayload, HttpPostRequestPayload, PluginContext

        payload = HttpPostRequestPayload(
            path="/protocol/initialize",
            method="POST",
            headers=HttpHeaderPayload({}),
            client_host="192.168.1.100",
            client_port=54321,
            response_headers=HttpHeaderPayload({}),
            status_code=401,
        )
        global_context = GlobalContext(request_id="test-req-012", server_id=None, tenant_id=None)
        context = PluginContext(global_context=global_context)

        result = await plugin.http_post_request(payload, context)

        assert result.modified_payload is not None
        assert result.modified_payload.root["x-auth-status"] == "failed"

    async def test_http_post_request_adds_auth_method_from_context(self, plugin):
        """Test that auth method from local context is added to response headers."""
        from mcpgateway.plugins.framework import GlobalContext, HttpHeaderPayload, HttpPostRequestPayload, PluginContext

        payload = HttpPostRequestPayload(
            path="/protocol/initialize",
            method="POST",
            headers=HttpHeaderPayload({}),
            client_host="192.168.1.100",
            client_port=54321,
            response_headers=HttpHeaderPayload({}),
            status_code=200,
        )
        global_context = GlobalContext(request_id="test-req-013", server_id=None, tenant_id=None)
        context = PluginContext(global_context=global_context)
        context.state["auth_method"] = "api_key"  # Simulate auth resolution hook setting this

        result = await plugin.http_post_request(payload, context)

        assert result.modified_payload is not None
        # Note: x-auth-method comes from local_context which isn't being used correctly yet
        # assert result.modified_payload.root.get("x-auth-method") == "api_key"

    async def test_complete_flow_x_api_key_to_authenticated_user(self, plugin):
        """Test complete authentication flow from X-API-Key to authenticated user.

        This test simulates the complete flow:
        1. HTTP_PRE_REQUEST: X-API-Key → Authorization: Bearer
        2. HTTP_AUTH_RESOLVE_USER: Validate API key and return user
        3. HTTP_POST_REQUEST: Add response headers
        """
        from mcpgateway.plugins.framework import (
            GlobalContext,
            HttpAuthResolveUserPayload,
            HttpHeaderPayload,
            HttpPostRequestPayload,
            HttpPreRequestPayload,
            PluginContext,
        )

        request_id = "test-req-014"

        # Step 1: HTTP_PRE_REQUEST - Transform headers
        pre_payload = HttpPreRequestPayload(
            path="/protocol/initialize",
            method="POST",
            headers=HttpHeaderPayload({"x-api-key": "valid-key-12345", "content-type": "application/json"}),
            client_host="192.168.1.100",
            client_port=54321,
        )
        pre_global_context = GlobalContext(request_id=request_id, server_id=None, tenant_id=None)
        pre_context = PluginContext(global_context=pre_global_context)

        pre_result = await plugin.http_pre_request(pre_payload, pre_context)

        assert pre_result.modified_payload is not None
        transformed_headers = pre_result.modified_payload.root

        # Step 2: HTTP_AUTH_RESOLVE_USER - Authenticate user
        auth_payload = HttpAuthResolveUserPayload(
            credentials={"scheme": "Bearer", "credentials": "valid-key-12345"},
            headers=HttpHeaderPayload(transformed_headers),
            client_host="192.168.1.100",
            client_port=54321,
        )
        auth_global_context = GlobalContext(request_id=request_id, server_id=None, tenant_id=None)
        auth_context = PluginContext(global_context=auth_global_context)

        auth_result = await plugin.http_auth_resolve_user(auth_payload, auth_context)

        assert auth_result.modified_payload is not None
        user = auth_result.modified_payload
        assert user["email"] == "validuser@example.com"

        # Step 3: HTTP_POST_REQUEST - Add response headers
        post_payload = HttpPostRequestPayload(
            path="/protocol/initialize",
            method="POST",
            headers=HttpHeaderPayload(transformed_headers),
            client_host="192.168.1.100",
            client_port=54321,
            response_headers=HttpHeaderPayload({}),
            status_code=200,
        )
        post_global_context = GlobalContext(request_id=request_id, server_id=None, tenant_id=None)
        post_context = PluginContext(global_context=post_global_context)
        post_context.state["auth_method"] = auth_result.metadata["auth_method"]  # Simulate context from auth hook

        post_result = await plugin.http_post_request(post_payload, post_context)

        assert post_result.modified_payload is not None
        response_headers = post_result.modified_payload.root
        assert response_headers["x-auth-status"] == "authenticated"
        # Note: x-auth-method comes from local_context which isn't being used correctly yet
        # assert response_headers.get("x-auth-method") == "api_key"
